Merge pull request #324 from Mirantis/crud

User access CRUD changed for user
Mirantis · Jun 26, 2018 · d9c8d85 · d9c8d85
2 parents 7d35e38 + 10e5294
commit d9c8d85
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 3 deletions.
diff --git a/docs/kqueen.rst b/docs/kqueen.rst
@@ -159,6 +159,39 @@ pattern.
       - 127.0.0.0/8
       - Addresses allowed to access metrics endpoint without token
 
+
+Default user access configuration
+_________________________________
+
+Default CRUD (Create, Read, Update, Delete) model for KQueen user roles.
+
+Superadmin view
+~~~~~~~~~~~~~~~
+
+- ``CRUD`` all organizations.
+- ``CRUD/Manage`` all members.
+- ``CRUD/Manage`` all member roles.
+- Full admin rights.
+
+Admin view
+~~~~~~~~~~
+
+- Invite/remove members in own organization (Email/LDAP).
+- ``CRD`` all provisioners.
+- ``CRUD`` all clusters.
+- Collect Prometheus metrics.
+- Full user rights.
+
+
+User view
+~~~~~~~~~
+
+- Login.
+- ``R`` organization members.
+- ``R`` provisioners.
+- ``CRUD`` self clusters.
+
+
 Before you provision a Kubernetes cluster, you may need to deploy and configure
 the following external services:
 

diff --git a/kqueen/config/default_policy.json b/kqueen/config/default_policy.json
@@ -9,11 +9,11 @@
     "organization:get": "ALL",
     "organization:list": "ALL",
     "organization:update": "IS_SUPERADMIN",
-    "provisioner:create": "ALL",
-    "provisioner:delete": "ADMIN_OR_OWNER",
+    "provisioner:create": "IS_ADMIN",
+    "provisioner:delete": "IS_ADMIN",
     "provisioner:get": "ALL",
     "provisioner:list": "ALL",
-    "provisioner:update": "ALL",
+    "provisioner:update": "IS_ADMIN",
     "user:create": "IS_ADMIN",
     "user:delete_member": "IS_ADMIN",
     "user:delete_admin": "IS_ADMIN",